networked medical devices: security and privacy threats - symantec

Networked Medical Devices: Security and Privacy Threats
Healthcare IT at a crossroads
CONTENTS
The government’s role: integration and privacy mandates
The CHIME member survey
Participants and devices
Experience and concerns
Introduction
Healthcare information technology (IT) uses many of the same infrastructure
elements, applications, off-the-shelf technologies, and processes used by enterprise IT
in general. But healthcare networks are unique in two important respects. First, they
contain and transmit information that is uniquely sensitive, and therefore governed
by rigorous, industry-specific privacy and security regulations like the U.S. Health
Insurance Portability and Accountability Act (HIPAA). Second, the complexity, number,
and diversity of devices—especially network-connected devices—that make up this
infrastructure expose healthcare networks to a broader range of security and privacy
risks than “typical” network servers or endpoints.
The problem of vulnerable devices on sensitive networks has been latent for years.
But today three trends are converging to make it an immediate risk:
• Sharp rises in the volume, sophistication, and focus of malware, raising the
likelihood of, and damage from, malware attacks and data breaches
• Medical devices that incorporate more off-the-shelf hardware and software,
increasing their vulnerability to malware, hacking, and data theft
• New government incentives and mandates to share patient information
electronically, simultaneous with severe penalties for any loss, diversion,
or exposure
In this paper, we will first outline the risks introduced by networked medical
devices, and then present results from a 2010 survey by the College of Health
Information Management Executives (CHIME) to gain the perspective of industry
insiders. Finally, we will review some of the organizations, standards, and solutions
available to help hospitals, diagnostic centers, and clinics assess and address
issues introduced by networked medical devices.
Converging risks
The potential for networked medical devices to serve as a vector for cyber threats
is on the rise because of changes in the cyber-threat environment, the special
characteristics of medical devices, and a changing regulatory climate.
External risks: cyber threats
Cyber threats adapt to the opportunities and risks faced by their creators. The
nuisance of amateur online vandalism has been eclipsed by new opportunities for
professional criminals, created by high-bandwidth connections and an explosion
of commercial and financial information and transactions on the Web. Today’s
Internet threats are increasingly:
• Global—China is second only to the United States as a source of online threats,
and Brazil, source of several high-profile attacks, has emerged as number
three. Geographic variation in laws and enforcement complicates and slows
prosecution of cybercrimes.
advance reconnaissance on social networks, custom-crafted “spear phishing”
messages, multi-pronged attacks, and persistent data gathering over long
periods.
• Web based—All of the current top-ranked cyber attacks, including those that
implant keystroke loggers and other information-gathering tools, exploit
vulnerabilities in browsers and other popular applications.
• Automated—“Crimeware” toolkits accelerate the creation of custom exploits,
including deployment of botnets to launch global automated attacks. More than
90,000 unique variants of one such kit appeared in 2009 alone.
• Financially driven—Today’s attacks focus on financial information about
organizations and consumers. An underground online economy supports a brisk
trade in stolen information: credit card information, for example, sells for
$0.85 to $30.00, and bank account credentials for $15 to $850.[1]
All organizations and consumers, not just hospitals and patients, face this threat
environment. But the sensitivity of medical information and the exposure of
network-connected medical devices raise special risks in the healthcare industry.
Internal risks: medical devices
Enterprise networks may incorporate tens of thousands of endpoints, and while
security and data protection are constant concerns, the consensus is that the risks
are under control. What makes network-attached medical devices so different?
The answer is that even though newly released medical devices operate more like
computers, they are still treated as though they are different—in ways that carry
serious ramifications for security and data protection.
The PC revolution has transformed instruments and devices of all kinds, and
medical devices are no exception. Their increasing use of off-the-shelf hardware
and software technologies unlocks significant user-interface, performance, and
cost advantages. As devices grow more productive, hospitals use them to increase
staff efficiencies and they proliferate throughout hospitals. These sophisticated
devices are more likely to be connected to networks to create efficiencies and
enable control, data communication, management, and integration—exposing
them to the full range of risks that afflict other network endpoints.
But although medical devices share computers’ vulnerabilities, they can’t be
protected in the same ways:
• Responsibility for medical devices often resides with Biomedical (or Clinical)
Engineering departments, whose mission and training focus on calibration and
maintenance. Security and data protection are typically subordinated or shared
with the IT organization, for which medical devices are secondary to maintaining
core IT service levels.
• Long device lifecycles keep hardware, operating systems, communications
protocols, and applications systems in service on medical devices long after they
have disappeared from enterprise IT networks—so devices remain vulnerable to
exploits that are of no concern to desktops and laptops.
• Regulation has a paradoxical effect: the U.S. Federal Food and Drug
Administration (FDA) and its counterparts outside the U.S. stipulate that
medical device manufacturers, not owners, must control and validate device
configuration, including security updates. This delays delivery of vulnerability
patches to users, slows the pace of security and data-protection upgrades, and
keeps third-party security solutions, no matter how effective, off PCs embedded
in medical devices.
The government’s role: integration and privacy mandates
The unique status of medical devices excludes them from routine PC protections
—a situation that has persisted for years. But regulatory changes are forcing near-
term security and protection decisions that sometimes conflict. The U.S. federal
government and other organizations are attempting to cut duplication, errors, and
costs by integrating patient information from many sources into a single electronic
record available to legitimate parties. At the same time, privacy provisions require that
access to this information be convincingly blocked from all other parties.
The healthcare community is well aware of HIPAA requirements to protect patient
information. But unless medical devices can be secured, HIPAA protections are
difficult to reconcile with incentives for Electronic Medical Records under the
Health Information Technology for Economic and Clinical Health Act (HITECH Act)
provisions of the American Recovery and Reinvestment Act of 2009 (ARRA).
The CHIME member survey
The College of Health Information Management Executives is an organization that
supports Chief Information Officers (CIOs) and other senior leaders in healthcare
IT. Considering the spread of medical devices, the difficulty of protecting them and
their information, and the emerging potential conflict between digitization and
security of medical records, CHIME surveyed its members’ concerns about cyber
threats originating from, targeting, or propagated through network-connected
medical devices in an online survey conducted during August and September 2010.
Participants and devices
The 53 survey participants were predominantly director- or C-level executives
at large U.S. hospitals (median 551 beds). As seen in Figure 1, most of these
organizations have well over 1,000 medical devices. Almost 23 percent of the devices
are network connected; an additional 8 percent are network capable but not yet connected.
Wired connections outnumber wireless three to two. Figure 1 also reveals that the
concentration of both total and networked medical devices—for example, devices
per bed—is much higher at larger hospitals.
Figure 1: Medical devices in use at survey participants’ hospitals. Networked and network-ready
devices constitute more than 30 percent of the total.[2]
[2] CHIME members are predominantly Healthcare IT executives; as a result, Figure 1 may underestimate the number of medical devices at hospitals where IT does not manage them, or manages them jointly with Biomedical Engineering.
In 45 percent of these organizations, the Biomedical (or Clinical) Engineering
department alone manages medical devices, and in 45 percent they either share
management responsibility with IT (38 percent), or have consolidated Biomedical
Engineering and IT into a single group (7 percent). In only 6 percent of cases does
IT alone manage the devices; in 4 percent an outside group is responsible.
Figure 2: Responsibility for managing medical devices is typically assigned to the Biomedical/Clinical
Engineering department alone, or shared with IT.
Experience and concerns
Malware attacks on medical devices are more than a theoretical concern for survey
participants: more than a third of them had experienced a virus or other malware
on a medical device in the year preceding the survey, and a third of that group
experienced multiple incidents.
Figure 3: More than one-third of survey participants reported a cyber attack in the preceding year.
They also saw firsthand how difficult malware is to contain: in more than half of the
reported outbreaks, infections spread beyond a single device to a few devices, a
floor or department, or the entire hospital.
Figure 4: More than half of reported outbreaks extended beyond a single device
Further, as shown in Figure 5, 47 percent of participants see malware threats as a
steady-state phenomenon—but 17 percent see them on the rise.
Figure 5: The majority of survey participants see malware attacks as steady or rising year upon year.
Steady or rising, the threat is serious. Two-thirds of participants rate cyber risks
from medical devices the same or greater than from general hospital IT. Their areas
of greatest concern are:
• Key risks: hacker penetration, privacy breach, virus infection, and virus
propagation
• Most serious impacts: patient care, clinical productivity, clinical and IT
remediation burdens
Figure 6: Security concerns run the gamut of medical devices. These are the top 7 of 14 device types.
Initiatives
To date, network security initiatives account for most of the protection against
malware and information loss: secure Virtual Local Area Network architectures
protected from the outside by firewalls and “demilitarized zones”. Almost half of the
participants use two or more external protective measures in addition to protections
provided by the device manufacturer. Figure 7a illustrates the distribution of
protective measures, and Figure 7b shows their concentration.
Figure 7: a) Surveyed hospitals use network-based defenses to protect medical devices. b) Almost
half use two or more forms of network protection.
One of the most important measures for protecting any computing system
or medical device is a disciplined management and upgrade process. Device-
management solutions are an essential part of any security and privacy initiative.
More than 80 percent of surveyed hospitals used one or more automated
solutions—which are often bundled into suites—to help them manage medical
devices from purchase through decommissioning. About half use more than one
solution. Figure 8 shows the solutions they use.
Figure 8: Hospitals use a full range of automated solutions to manage medical devices throughout
their lifecycles from purchase through end of life.
Survey summary
A midsize to large U.S. hospital relies on more than a thousand medical devices,
managed by Biomedical Engineering, either alone or jointly with IT. About one-third
of the devices are exposed to malware or data loss through network connections.
More than one-third of surveyed hospitals experienced one or more virus or
malware incidents in the past year—and half of these spread beyond the point of
entry. Responsible executives see the cyber-risk rates as steady but serious; they
worry most about hackers and privacy breaches on their networks, the security of
patient-connect devices, and impacts on patient care.
They use one or more network-based defenses to protect their devices, networks,
and patient information, count on automated tools to manage devices throughout
their lifecycles, and would generally welcome security and vulnerability rating
services for medical devices.
With HITECH incentives built into ARRA, and EMR initiatives generating
organizational support, now is the best time to extend the IT security envelope to
include medical devices. IEC 80001-1:2010, Application of risk management for
IT-networks incorporating medical devices, outlines a risk-management approach that
aligns well with the organization and processes of most hospitals.
Education—of both responsible departments and those affected by the changes
—is an important component of any solution. The following section offers links
to resources that offer background information, standards and regulatory
frameworks, and software solutions governing device and network security, access
control, lifecycle management, and data protection.
References
These articles report individual attacks on networked medical devices and security
trends in healthcare environments:
Wirth, A. “Cyber Crimes Pose Growing Threat to Medical Devices,” Biomedical
Instrumentation and Technology (BI&T), Jan/Feb 2011, Volume 45, Number 1.
Keen, Cynthia E. Conficker worm highlights PACS cybersecurity issues, AuntMinnie.com,
(online) June 2, 2009, accessed: February 1, 2011.
http://www.auntminnie.com/index.asp?Sec=sup&Sub=ris&Pag=dis&ItemId=86009
Massachusetts Medical Devices Journal LLC. Medical devices next on hackers’ target list? MassDevice.com, (online) April 5, 2010, accessed: December 7, 2010.
http://www.massdevice.com/blogs/massdevice/medical-devices-next-hackers-target-list
Massachusetts Medical Devices Journal LLC. Confickered! Medical devices and digital medical records are getting hacked, MassDevice.com, (online) May 8, 2009,
accessed: December 7, 2010.
The Healthcare Information and Management Systems Society (HIMSS) and the
National Electrical Manufacturers Association (NEMA) address privacy issues
related to medical devices as part of the “Manufacturer Disclosure Statement for
Medical Device Security” joint initiative (MDS2). Note that MDS2 disclosures are not
catalogued and are provided to customers by request only.
National Electrical Manufacturers Association, Manufacturer Disclosure Statement for Medical Device Security (MDS2), NEMA.org, (online) September 29, 2008,
accessed: January 24, 2011.
HIMSS.org, (online), accessed: January 24, 2011.
http://www.himss.org/ASP/topics_medicalDevice.asp
The Patient Care Device Domain working group of Integrating the Healthcare
Enterprise deals primarily with clinical topics, such as alarm communication,
message syntax, and so on, but also addresses security, privacy, and configuration
management.
2010, accessed: January 24, 2011.
http://www.ihe.net/pcd/
The Clinical Engineering/IT (CE-IT) Community of the Association for the
Advancement of Medical Instrumentation (AAMI), American College of Clinical
Engineering (ACCE), and the Healthcare Information and Management Systems
Society (HIMSS) is working to bridge the gap between traditionally device-focused
clinical engineering and traditionally network-focused IT.
http://www.ceitcollaboration.org/
U.S. Food and Drug Administration, Reminder from FDA: Cybersecurity for Networked Medical Devices Is a Shared Responsibility, FDA.gov, (online) November 4, 2009,
accessed: January 24, 2011.
United States Computer Emergency Readiness Team, Cyber Security Tips, US-CERT.gov,
(online), accessed: January 24, 2011.
http://www.us-cert.gov/cas/tips/
Center for Engineering & Occupational Safety and Health (CEOSH) and U.S.
Department of Veterans Affairs, Medical Device Isolation Architecture Guide, HIMSS.org,
(online) April 30, 2004, accessed: January 24, 2011.
http://www.himss.org/Content/files/VA_VLAN_Guide_040430.pdf
http://www.hitsp.org/ConstructSet_Details.aspx?&PrefixAlpha=5&PrefixNumeric=905
Cooper, Todd and Eagles, Sherman, Aiming for Patient Safety in the Networked Healthcare Environment, AAMI.org, (online) 2010, accessed: January 24, 2011.
http://www.aami.org/publications/ITHorizons/2010/18-20_StandardsRegs_Cooper.pdf
About Symantec
Symantec is a global leader in providing security, storage and systems
management solutions to help consumers and organizations secure and manage
their information-driven world. Our software and services protect against more
risks at more points, more completely and efficiently, enabling confidence
wherever information is used or stored. Headquartered in Mountain View, Calif.,
Symantec has operations in 40 countries. More information is available at
www.symantec.com.